criterion 1: does the company recognize online threats to freedom of expression and right to privacy as risks to its users through its policies and procedures?
criterion 2: does the company apply end-to-end encryption as a default?
criterion 3: does the company make users aware of threats to their privacy and freedom of expression, and how the company is responding through the use of encryption?
criterion 4: does the company disclose details of government requests for user data, and how it responds?
criterion 5: does the company publish technical details of its system of encryption?